{{- $externalSecretStoresEnabled := include "crossplane.externalSecretStoresEnabled" . | eq "true" -}}
apiVersion: apps/v1
kind: Deployment
metadata:
  name: {{ template "crossplane.name" . }}
  namespace: {{ .Release.Namespace }}
  labels:
    app: {{ template "crossplane.name" . }}
    release: {{ .Release.Name }}
    {{- include "crossplane.labels" . | indent 4 }}
  {{- with .Values.customAnnotations }}
  annotations: {{ toYaml . | nindent 4 }}
  {{- end }}
spec:
  replicas: {{ .Values.replicas }}
  selector:
    matchLabels:
      app: {{ template "crossplane.name" . }}
      release: {{ .Release.Name }}
  strategy:
    type: {{ .Values.deploymentStrategy }}
  template:
    metadata:
      {{- if or .Values.metrics.enabled .Values.customAnnotations }}
      annotations:
      {{- end }}
      {{- if .Values.metrics.enabled }}
        prometheus.io/path: /metrics
        prometheus.io/port: "8080"
        prometheus.io/scrape: "true"
      {{- end }}
      {{- with .Values.customAnnotations }}
        {{- toYaml . | nindent 8 }}
      {{- end }}
      labels:
        app: {{ template "crossplane.name" . }}
        release: {{ .Release.Name }}
        {{- include "crossplane.labels" . | indent 8 }}
    spec:
      {{- with .Values.podSecurityContextCrossplane }}
      securityContext:
        {{- toYaml . | nindent 8 }}
      {{- end }}
      {{- if .Values.priorityClassName }}
      priorityClassName: {{ .Values.priorityClassName  | quote }}
      {{- end }}
      serviceAccountName: {{ template "crossplane.name" . }}
      hostNetwork: {{ .Values.hostNetwork }}
      initContainers:
        - image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default (printf "v%s" .Chart.AppVersion) }}"
          args:
          - core
          - init
          {{- range $arg := .Values.provider.packages }}
          - --provider
          - "{{ $arg }}"
          {{- end }}
          {{- range $arg := .Values.configuration.packages }}
          - --configuration
          - "{{ $arg }}"
          {{- end }}
          imagePullPolicy: {{ .Values.image.pullPolicy }}
          name: {{ .Chart.Name }}-init
          resources:
            {{- toYaml .Values.resourcesCrossplane | nindent 12 }}
          {{- with .Values.securityContextCrossplane }}
          securityContext:
            {{- toYaml . | nindent 12 }}
          {{- end }}
          env:
          - name: GOMAXPROCS
            valueFrom:
              resourceFieldRef:
                containerName: {{ .Chart.Name }}-init
                resource: limits.cpu
                divisor: "1"
          - name: GOMEMLIMIT
            valueFrom:
              resourceFieldRef:
                containerName: {{ .Chart.Name }}-init
                resource: limits.memory
                divisor: "1"
          - name: POD_NAMESPACE
            valueFrom:
              fieldRef:
                fieldPath: metadata.namespace
          - name: POD_SERVICE_ACCOUNT
            valueFrom:
              fieldRef:
                fieldPath: spec.serviceAccountName
          {{- if .Values.webhooks.enabled }}
          - name: "WEBHOOK_SERVICE_NAME"
            value: {{ template "crossplane.name" . }}-webhooks
          - name: "WEBHOOK_SERVICE_NAMESPACE"
            valueFrom:
              fieldRef:
                fieldPath: metadata.namespace
          - name: "WEBHOOK_SERVICE_PORT"
            value: "9443"
          {{- else }}
          - name: "WEBHOOK_ENABLED"
            value: "false"
          {{- end }}
          {{- if $externalSecretStoresEnabled }}
          - name: "ESS_TLS_SERVER_SECRET_NAME"
            value: ess-server-certs
          {{- end }}
          - name: "TLS_CA_SECRET_NAME"
            value: crossplane-root-ca
          - name: "TLS_SERVER_SECRET_NAME"
            value: crossplane-tls-server
          - name: "TLS_CLIENT_SECRET_NAME"
            value: crossplane-tls-client
      containers:
      - image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default (printf "v%s" .Chart.AppVersion) }}"
        args:
        - core
        - start
        {{- range $arg := .Values.args }}
        - {{ $arg }}
        {{- end }}
        imagePullPolicy: {{ .Values.image.pullPolicy }}
        name: {{ .Chart.Name }}
        resources:
          {{- toYaml .Values.resourcesCrossplane | nindent 12 }}
        startupProbe:
          failureThreshold: 30
          periodSeconds: 2
          tcpSocket:
            port: readyz
        ports:
        - name: readyz
          containerPort: 8081
        {{- if .Values.metrics.enabled }}
        - name: metrics
          containerPort: 8080
        {{- end }}
        {{- if .Values.webhooks.enabled }}
        - name: webhooks
          containerPort: 9443
        {{- end }}
        {{- with .Values.securityContextCrossplane }}
        securityContext:
          {{- toYaml . | nindent 12 }}
        {{- end }}
        env:
          - name: GOMAXPROCS
            valueFrom:
              resourceFieldRef:
                containerName: {{ .Chart.Name }}
                resource: limits.cpu
                divisor: "1"
          - name: GOMEMLIMIT
            valueFrom:
              resourceFieldRef:
                containerName: {{ .Chart.Name }}
                resource: limits.memory
                divisor: "1"
          - name: POD_NAMESPACE
            valueFrom:
              fieldRef:
                fieldPath: metadata.namespace
          - name: POD_SERVICE_ACCOUNT
            valueFrom:
              fieldRef:
                fieldPath: spec.serviceAccountName
          - name: LEADER_ELECTION
            value: "{{ .Values.leaderElection }}"
          {{- if .Values.registryCaBundleConfig.key }}
          - name: CA_BUNDLE_PATH
            value: "/certs/{{ .Values.registryCaBundleConfig.key }}"
          {{- end}}
          {{- if not .Values.webhooks.enabled }}
          - name: "WEBHOOK_ENABLED"
            value: "false"
          {{- end }}
          - name: "TLS_SERVER_SECRET_NAME"
            value: crossplane-tls-server
          - name: "TLS_SERVER_CERTS_DIR"
            value: /tls/server
          - name: "TLS_CLIENT_SECRET_NAME"
            value: crossplane-tls-client
          - name: "TLS_CLIENT_CERTS_DIR"
            value: /tls/client
        {{- range $key, $value := .Values.extraEnvVarsCrossplane }}
          - name: {{ $key | replace "." "_" }}
            value: {{ $value | quote }}
        {{- end}}
        volumeMounts:
          - mountPath: /cache
            name: package-cache
          {{- if .Values.registryCaBundleConfig.name }}
          - mountPath: /certs
            name: ca-certs
          {{- end }}
          {{- if .Values.extraVolumeMountsCrossplane }}
          {{- toYaml .Values.extraVolumeMountsCrossplane | nindent 10 }}
          {{- end }}
          - mountPath: /tls/server
            name: tls-server-certs
          - mountPath: /tls/client
            name: tls-client-certs
      volumes:
      - name: package-cache
        {{- if .Values.packageCache.pvc }}
        persistentVolumeClaim:
          claimName: {{ .Values.packageCache.pvc }}
        {{- else if .Values.packageCache.configMap }}
        configMap:
          name: {{ .Values.packageCache.configMap }}
        {{- else }}
        emptyDir:
          medium: {{ .Values.packageCache.medium }}
          sizeLimit: {{ .Values.packageCache.sizeLimit }}
        {{- end }}
      {{- if .Values.registryCaBundleConfig.name }}
      - name: ca-certs
        configMap:
          name: {{ .Values.registryCaBundleConfig.name }}
          items:
            - key: {{ .Values.registryCaBundleConfig.key }}
              path: {{ .Values.registryCaBundleConfig.key }}
      {{- end }}
      - name: tls-server-certs
        secret:
          secretName: crossplane-tls-server
      - name: tls-client-certs
        secret:
          secretName: crossplane-tls-client
      {{- if .Values.extraVolumesCrossplane }}
      {{- toYaml .Values.extraVolumesCrossplane | nindent 6 }}
      {{- end }}
      {{- if .Values.nodeSelector }}
      nodeSelector: {{ toYaml .Values.nodeSelector | nindent 8 }}
      {{- end }}
      {{- if .Values.tolerations }}
      tolerations: {{ toYaml .Values.tolerations | nindent 6 }}
      {{- end }}
      {{- if .Values.affinity }}
      affinity: {{ toYaml .Values.affinity | nindent 8 }}
      {{- end }}
